About ash83

Hi Community,   What's the source IP used by the Palo Alto when doing a HA - Path Group -> virtual router path check?   Thanks. ... View more

Hi community,   Which partitions are used to store the PAN-OS files?     fw> show system disk-space   Can unused PAN-OS files be removed from the CLI?   Is there a KB available with information on how these partitions work, and what they are used for?   Is there a way to access the shell mode from the CLI?   Thanks.   ... View more

Hi community, In a situation where there is a security policy allowing: SOURCE Source IP: any Source Zone: outside DESTINATION Destination IP: public IP 1.2.3.4 -> NAT'd to private IP 10.10.10.10 (servername1) (the security policy is using the post NAT zone). The inbound NAT is also correctly configured, and NATing correctly. APP: appX -> any APP which uses tcp/dynamic ACTION allow The service provided by servername1 has to be available to the world, and it is serving APP=appX content (using dynamic tcp ports) The above scenario will efectively allow any IP to access 1.2.3.4 -> 10.10.10.10 (servername1) using APP=appX on ANY tcp port. Restricting the source IPs to some IPs, or country, continent etc is not an option, as it is a service that needs to be available to anyone on the internet. Is it not using appX -> any APP which uses tcp/dynamic a huge security risk, as a it is allowing connection on any tcp port, and this will end up taking down 10.10.10.10 (servername1) after it cannot handle any more connections? The only solution I can think off is to stop using appX in the above scenario, and try to use service (L4 instead) - which is not really a Palo Alto friendly approach. Any idea(s) would be much appreciated. Thanks. ... View more

Hi community,   Having reviewed:   https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/upgrade-to-pan-os-81/upgrade-the-firewall-to-pan-os-81/determine-pan-os-upgrade-path#id181QEN0D0QY   and   https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/upgrade-to-pan-os-81/upgrade-the-firewall-to-pan-os-81/upgrade-an-ha-firewall-pair-to-pan-os-81#idab14f5f2-f662-4e5c-ba5b-2cc35993e2ec     Is this the right upgrade path to be followed?   A) 8.0.7 to 8.0.12 8.0.12 to 8.1.1 8.1.1 to 8.1.3   or (skipping 8.0.12 to 8.1.1-> unsure whether or not this is required)   B) 8.0.7 to 8.0.12 8.0.12 to 8.1.3   And lastly, what is a feature realease? :"When you upgrade from one PAN-OS feature release version to a later feature release, you cannot skip the installation of any feature release versions in the path to your target release."    Thanks. ... View more

Hi,   I am trying to test ping from zone A to zone B using 2 hosts IPs which belong to their respective zones. What is the correct way to specifically test application ping?   fw1(active)> test security-policy-match application ping from from zone_1 to zone_2 source 192.168.1.1 destination 192.168.2.1 Server error : argument protocol is required   Ping does not use TCP or UDP. It uses ICMP. To be more precise ICMP type 8 (echo message) and type 0 (echo reply message) are used. ICMP does not have ports   Is it possible to test the above using the CLI prior to deploying a firewall to test ping between hosts?   Thanks.     ... View more